802.1X: W2k to 3550 with CS ACS problem


Hi!


I tried to set up 802.1X authentication for W2k (with Q313664_W2K_SP4_X86_EN.exe applied) and a 3550 EMI with CS ACS 3.1, but it doesn't work (both EAP-MD5 and PEAP). The PEAP user 'test2' is in the Win2K database on the same machine as the RADIUS server (no domain controller involved). I can successfully telnet to the 3550 as 'test2', but when I try 802.1X I see in the Failed Attempts Report an authentication failure with Authen-Failure-Code=Unknown. In this report I also see the correct (Default) group assigned and the client's MAC in the Caller-ID field.


I believe that ACS and 3550 configurations are ok, but something is wrong with the authentication.

The Default CS ACS group is set up with only 3 attributes: 64(Tunnel-Type) = VLAN, 65(Tunnel-Medium-Type) = 802, 81(Tunnel-Private-Group-ID) = 100.


Please help, or point me to a HOWTO document on how to troubleshoot 802.1X with debug output like this (PEAP case):


Sep 17 15:06:59.775 MSK: dot1x-packet:Received an EAPOL frame on interface FastEthernet0/2

Sep 17 15:06:59.775 MSK: dot1x-ev:Received pkt saddr =00a0.c9a7.dedf , daddr = 0180.c200.0003,pae-ether-type = 34958

Sep 17 15:06:59.775 MSK: dot1x-ev:Couldn't find a supplicant block for mac 00a0.c9a7.dedf


Sep 17 15:06:59.779 MSK: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 11EF8C8

Sep 17 15:06:59.779 MSK: dot1x_auth Fa0/2: initial state auth_initialize has enter

Sep 17 15:06:59.779 MSK: dot1x-sm:Fa0/2:00a0.c9a7.dedf:auth_initialize_enter called

Sep 17 15:06:59.779 MSK: dot1x-ev:auth_initialize_enter:00a0.c9a7.dedf: Current ID=0


Sep 17 15:06:59.779 MSK: dot1x_auth Fa0/2: during state auth_initialize, got event 0(cfg_auto)

Sep 17 15:06:59.779 MSK: @@@ dot1x_auth Fa0/2: auth_initialize -> auth_disconnected

Sep 17 15:06:59.779 MSK: dot1x-sm:Fa0/2:00a0.c9a7.dedf:auth_disconnected_enter_action called

Sep 17 15:06:59.779 MSK: dot1x-sm:dot1x_update_port_status called with port_status = DOT1X_PORT_STATUS_UNAUTHORIZED

Sep 17 15:06:59.779 MSK: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEthernet0/2

Sep 17 15:06:59.779 MSK: dot1x-ev:dot1x_update_port_status: Called with host_mode=0 state UNAUTHORIZED


Sep 17 15:06:59.779 MSK: dot1x-ev:dot1x_update_port_status: using mac 00a0.c9a7.dedf to send port to unauthorized on vlan 0


Sep 17 15:06:59.779 MSK: dot1x-ev:Found a supplicant block for mac 00a0.c9a7.dedf 11F1160


Sep 17 15:06:59.779 MSK: dot1x-ev:dot1x_port_unauthorized: Host-mode=0 radius/guest vlan=0


Sep 17 15:06:59.779 MSK: dot1x-ev: GuestVlan configured=0


Sep 17 15:06:59.779 MSK: dot1x-ev:supplicant 00a0.c9a7.dedf is last


Sep 17 15:06:59.779 MSK: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEthernet0/2

Sep 17 15:06:59.779 MSK: dot1x_auth Fa0/2: idle during state auth_disconnected

Sep 17 15:06:59.779 MSK: @@@ dot1x_auth Fa0/2: auth_disconnected -> auth_connecting

Sep 17 15:06:59.779 MSK: dot1x-sm:Fa0/2:00a0.c9a7.dedf:auth_connecting_enter called

Sep 17 15:06:59.779 MSK: dot1x_bend Fa0/2: initial state dot1x_bend_initialize has enter

Sep 17 15:06:59.779 MSK: dot1x-sm:Dot1x Initialize State Entered

Sep 17 15:06:59.779 MSK: dot1x_bend Fa0/2: initial state dot1x_bend_initialize has idle

Sep 17 15:06:59.779 MSK: dot1x_bend Fa0/2: during state dot1x_bend_initialize, got event 16383(idle)

Sep 17 15:06:59.779 MSK: @@@ dot1x_bend Fa0/2: dot1x_bend_initialize -> dot1x_bend_idle

Sep 17 15:06:59.779 MSK: dot1x-sm:Dot1x Idle State Entered

Sep 17 15:06:59.779 MSK: dot1x-ev:Created port supplicant block 00a0.c9a7.dedf expected_id=1 current_id=1


Sep 17 15:06:59.779 MSK: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface FastEthernet0/2

Sep 17 15:06:59.779 MSK: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface FastEthernet0/2

Sep 17 15:06:59.779 MSK: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 00a0.c9a7.dedf


Sep 17 15:06:59.779 MSK: dot1x-ev:dot1x_tx_eap: EAP Ptk

Sep 17 15:06:59.779 MSK: dot1x-ev:EAP-code=REQUEST

Sep 17 15:06:59.779 MSK: dot1x-ev:EAP Type= IDENTITY

Sep 17 15:06:59.779 MSK: dot1x-ev:ID=0

Sep 17 15:06:59.779 MSK: dot1x-registry:registry:dot1x_ether_macaddr called

Sep 17 15:06:59.783 MSK: dot1x-packet:Received an EAPOL frame on interface FastEthernet0/2

Sep 17 15:06:59.783 MSK: dot1x-ev:Received pkt saddr =00a0.c9a7.dedf , daddr = 0180.c200.0003,pae-ether-type = 34958

Sep 17 15:06:59.783 MSK: dot1x-ev:Found a supplicant block for mac 00a0.c9a7.dedf 11F1160

Sep 17 15:06:59.783 MSK: dot1x-packet:Received an EAP packet on interface FastEthernet0/2

Sep 17 15:06:59.783 MSK: dot1x_auth Fa0/2: during state auth_connecting, got event 6(rxRespId)

Sep 17 15:06:59.783 MSK: @@@ dot1x_auth Fa0/2: auth_connecting -> auth_authenticating

Sep 17 15:06:59.783 MSK: dot1x-sm:Fa0/2:00a0.c9a7.dedf:auth_connecting_exit alled

Sep 17 15:06:59.783 MSK: dot1x-sm:Fa0/2:00a0.c9a7.dedf:auth_authenticating_enter called

Sep 17 15:06:59.783 MSK: dot1x-ev:sending AUTH_START to BEND for supp_info=11F1160

Sep 17 15:06:59.783 MSK: dot1x-sm:Fa0/2:00a0.c9a7.dedf:auth_connecting_authenticating_action called

Sep 17 15:06:59.783 MSK: dot1x-ev:Received AuthStart from Authenticator for supp_info=11F1160

Sep 17 15:06:59.783 MSK: dot1x_bend Fa0/2: during state dot1x_bend_idle, got event 1(auth_start)

Sep 17 15:06:59.783 MSK: @@@ dot1x_bend Fa0/2: dot1x_bend_idle -> dot1x_bend_response

Sep 17 15:06:59.783 MSK: dot1x-sm:Dot1x Response State Entered for supp_info=11F1160 hwidb=EA9724, swidb=EAAA58 on intf=Fa0/2

Sep 17 15:06:59.783 MSK: dot1x-ev:Managed Timer in sub-block attached as leaf to master

Sep 17 15:06:59.783 MSK: dot1x-sm:Started the ServerTimeout Timer

Sep 17 15:06:59.783 MSK: dot1x-ev:Going to Send Request to AAA Client on RP for id = 0 and length = 10

Sep 17 15:06:59.783 MSK: dot1x-ev:Got a Request from SP to send it to Radius with id 1

Sep 17 15:06:59.783 MSK: dot1x-ev:Couldn't Find a process thats already handling the request for this id 0

Sep 17 15:06:59.783 MSK: dot1x-ev:Inserted the request on to list of pending requests

Sep 17 15:06:59.787 MSK: dot1x-ev:Found a free slot at slot 0

Sep 17 15:06:59.787 MSK: dot1x-ev:Found a free slot at slot 0

Sep 17 15:06:59.787 MSK: dot1x-ev:Request id = 1 and length = 10

Sep 17 15:06:59.787 MSK: dot1x-ev:The Interface on which we got this AAA Request is FastEthernet0/2

Sep 17 15:06:59.787 MSK: dot1x-ev:Username is test2

Sep 17 15:06:59.787 MSK: dot1x-ev:MAC Address is 00a0.c9a7.dedf

Sep 17 15:06:59.787 MSK: AAA: parse name=FastEthernet0/2 idb type=-1 tty=-1

Sep 17 15:06:59.787 MSK: AAA: name=FastEthernet0/2 flags=0x15 type=7 shelf=0 slot=0 adapter=0 port=2 channel=0

Sep 17 15:06:59.787 MSK: AAA: parse name=<no string> idb type=-1 tty=-1

Sep 17 15:06:59.787 MSK: AAA/MEMORY: create_user (0x11F1700) user='test2' ruser='test2' port='FastEthernet0/2' rem_addr='' authen_type=EAP service=802.1x priv=1

Sep 17 15:06:59.787 MSK: dot1x-ev:MAC Address copied is 00a0.c9a7.dedf

Sep 17 15:06:59.787 MSK: AAA/AUTHEN/START (3235410336): port='FastEthernet0/2' list='Dot1x Acc List' action=LOGIN service=802.1x

Sep 17 15:06:59.787 MSK: AAA/AUTHEN/START (3235410336): using "default" list

Sep 17 15:06:59.787 MSK: AAA/AUTHEN/START (3235410336): Method=radius (radius)

Sep 17 15:06:59.787 MSK: RADIUS: ustruct sharecount=1

Sep 17 15:06:59.787 MSK: RADIUS: added cisco VSA 2 len 15 "FastEthernet0/2"

Sep 17 15:06:59.787 MSK: RADIUS: EAP-login: NAS Port = 00-a0-c9-a7-de-df RemAddr =00a0.c9a7.dedf

Sep 17 15:06:59.787 MSK: RADIUS: EAP-login: length of radius packet = 123 code = 1

Sep 17 15:06:59.787 MSK: RADIUS: Initial Transmit FastEthernet0/2 id 3 xxx.yyy.83.51:1812, Access-Request, len 123

Sep 17 15:06:59.787 MSK: Attribute 4 6 C1E85334

Sep 17 15:06:59.787 MSK: Attribute 26 23 0000000902114661

Sep 17 15:06:59.787 MSK: Attribute 61 6 00000000

Sep 17 15:06:59.787 MSK: Attribute 1 7 74657374

Sep 17 15:06:59.787 MSK: Attribute 6 6 00000002

Sep 17 15:06:59.787 MSK: Attribute 12 6 000005DC

Sep 17 15:06:59.787 MSK: Attribute 31 19 30302D61

Sep 17 15:06:59.791 MSK: Attribute 79 12 0200000A

Sep 17 15:06:59.791 MSK: Attribute 80 18 658AE09C

Sep 17 15:06:59.843 MSK: RADIUS: Received from id 3 193.232.83.51:1812, Access-Challenge, len 78

Sep 17 15:06:59.843 MSK: Attribute 79 8 01DB0006

Sep 17 15:06:59.843 MSK: Attribute 24 32 43495343

Sep 17 15:06:59.843 MSK: Attribute 80 18 D455DBCA

Sep 17 15:06:59.843 MSK: RADIUS: EAP-login: length of eap packet = 6

Sep 17 15:06:59.843 MSK: RADIUS: EAP-login: got challenge from radius

Sep 17 15:06:59.843 MSK: AAA/AUTHEN (3235410336): status = GETDATA

Sep 17 15:06:59.843 MSK: dot1x-ev:going to send to backend on SP, length = 6

Sep 17 15:06:59.843 MSK: dot1x-ev:Received VLAN is No Vlan

Sep 17 15:06:59.843 MSK: dot1x-ev:Enqueued the response to BackEnd

Sep 17 15:06:59.843 MSK: dot1x-ev:Sent to Bend

Sep 17 15:06:59.843 MSK: dot1x-ev:Received QUEUE EVENT in response to AAA Request

Sep 17 15:06:59.843 MSK: dot1x-ev:Dot1x matching request-response found

Sep 17 15:06:59.843 MSK: dot1x-ev:Length of recv eap packet from radius = 6

Sep 17 15:06:59.843 MSK: dot1x-ev:Received VLAN Id -1

Sep 17 15:06:59.843 MSK: dot1x_bend Fa0/2: during state dot1x_bend_response, got event 0(areq)

Sep 17 15:06:59.843 MSK: @@@ dot1x_bend Fa0/2: dot1x_bend_response -> dot1x_bend_request

Sep 17 15:06:59.843 MSK: dot1x-sm:Dot1x Request State Entered

Sep 17 15:06:59.843 MSK: dot1x-ev:dot1x_bend_request_enter:00a0.c9a7.dedf: Current ID=219

// truncated


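The three attributes on the ACS Default group above are the RFC 3580 dynamic-VLAN triple: Tunnel-Type (64) = VLAN (13), Tunnel-Medium-Type (65) = IEEE-802 (6), Tunnel-Private-Group-ID (81) = "100", each carrying an RFC 2868 tag octet that must agree across all three. The following is an added example, not code from the thread or from Cisco: it builds the Access-Accept such a group should produce, verifies the Response Authenticator the way the switch must before trusting any attribute, and decides which VLAN the reply assigns. The shared secret and Request Authenticator are constructed sample values; the "bad" packet shows a Tunnel-Medium-Type left at 1 (IPv4), which a NAS must not treat as a VLAN assignment.

```python
# Added example (not from the original thread): build a RADIUS Access-Accept that
# carries the three RFC 3580 VLAN-assignment attributes the ACS Default group is
# configured with, then decode it the way a NAS would and decide which VLAN, if
# any, it assigns. Shared secret and Request Authenticator are constructed values.
import hashlib
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 3580 section 3.31

SECRET = b"sharedsecret"                   # constructed; not the poster's secret
REQUEST_AUTHENTICATOR = bytes(range(16))   # constructed; normally random per request


def tagged_int(tag, value):
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def tagged_str(tag, text):
    """RFC 2868 tagged string: one tag octet followed by the text."""
    return bytes([tag]) + text.encode()


def attr(attr_type, value):
    """Type-Length-Value attribute; Length counts the two header octets."""
    return bytes([attr_type, 2 + len(value)]) + value


def build_access_accept(identifier, request_authenticator, secret, attrs):
    body = b"".join(attrs)
    header = struct.pack(">BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    # Response Authenticator, RFC 2865 section 3:
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def verify_response_authenticator(packet, request_authenticator, secret):
    """What the NAS must check before trusting any attribute in the reply."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return resp_auth == expected


def parse_attrs(packet):
    """Return [(type, value), ...] from the attribute section of a RADIUS packet."""
    pos, out = 20, []
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return out


def vlan_from_accept(packet):
    """Return the assigned VLAN name/ID, or None unless the reply carries a
    consistent RFC 3580 triple (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802,
    Tunnel-Private-Group-ID) sharing one tag octet."""
    seen = {}  # (attr_type, tag) -> decoded value
    for attr_type, value in parse_attrs(packet):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                return None
            seen[(attr_type, value[0])] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 section 3.6: a leading octet above 0x1F is data, not a tag
            if value and value[0] <= 0x1F:
                tag, data = value[0], value[1:]
            else:
                tag, data = 0, value
            seen[(attr_type, tag)] = data.decode("ascii", errors="replace")
    for tag in range(0x20):
        if (seen.get((TUNNEL_TYPE, tag)) == TUNNEL_TYPE_VLAN
                and seen.get((TUNNEL_MEDIUM_TYPE, tag)) == TUNNEL_MEDIUM_IEEE_802
                and (TUNNEL_PRIVATE_GROUP_ID, tag) in seen):
            return seen[(TUNNEL_PRIVATE_GROUP_ID, tag)]
    return None


# What the ACS Default group described in the post should put on the wire.
GOOD_ACCEPT = build_access_accept(3, REQUEST_AUTHENTICATOR, SECRET, [
    attr(TUNNEL_TYPE, tagged_int(1, TUNNEL_TYPE_VLAN)),
    attr(TUNNEL_MEDIUM_TYPE, tagged_int(1, TUNNEL_MEDIUM_IEEE_802)),
    attr(TUNNEL_PRIVATE_GROUP_ID, tagged_str(1, "100")),
])

# A misconfigured group: Tunnel-Medium-Type left at 1 (IPv4) instead of 6 (IEEE-802).
BAD_ACCEPT = build_access_accept(3, REQUEST_AUTHENTICATOR, SECRET, [
    attr(TUNNEL_TYPE, tagged_int(1, TUNNEL_TYPE_VLAN)),
    attr(TUNNEL_MEDIUM_TYPE, tagged_int(1, 1)),
    attr(TUNNEL_PRIVATE_GROUP_ID, tagged_str(1, "100")),
])

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_ACCEPT), ("bad", BAD_ACCEPT)):
        ok = verify_response_authenticator(pkt, REQUEST_AUTHENTICATOR, SECRET)
        print(name, "authenticator ok:", ok, "vlan:", vlan_from_accept(pkt))
```

Two points worth keeping in mind when reading the debug above: the tunnel triple only travels in the final Access-Accept, so "Received VLAN Id -1" after an Access-Challenge (which carries only EAP-Message and Message-Authenticator) is the expected value at that stage, not a verdict on the VLAN configuration; and the ACS labels "VLAN" and "802" are the RFC 3580 values 13 and 6, so a reply decoded with any other value in 64 or 65, or with mismatched tag octets across the three attributes, will not assign a VLAN even though the group looks complete in the ACS GUI.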
mschooley Mon, 09/22/2003 - 05:00

What messages are you getting on your RADIUS server? It looks like, down at the bottom of this trace, you are actually talking to the RADIUS server, but it is sending an invalid VLAN back to the switch. You may try switching to ACS 3.2 also; there were a few problems with it and dot1x, though I don't remember what they were.

Thanks for the reply.


I'll retry with ACS 3.2 next week.


One more question about 802.1X with VLAN assignment on W2k clients. Could you please tell me what works for now and what doesn't: 1) DHCP address assignment; 2) roaming profiles and login scripts?


Thanks again,

Oleg Tipisov,

REDCENTER,

Moscow


mschooley Mon, 09/22/2003 - 06:35

None of the above; however, I have a new Microsoft patch that I am trying this week that is supposed to solve those issues.

mschooley Wed, 09/24/2003 - 06:44

Tried the new Microsoft patch and it actually worked.

mschooley Thu, 09/25/2003 - 05:41

The 2000 version hasn't been released to the public, but the XP version has. I would try contacting Microsoft and see if they will give it to you.
